Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-260938 | CNTR-MK-001180 | SV-260938r1015771_rule | Medium |
| Description |
| Running docker CLI commands remotely with a client trust bundle ensures that authentication and role permissions are checked for the command. Using --privileged option or --user option in docker exec gives extended Linux capabilities to the command. Do not run docker exec with the --privileged or --user options, especially when running containers with dropped capabilities or with enhanced restrictions. By default, docker exec command runs without --privileged or --user options. |
| STIG | Date |
| Mirantis Kubernetes Engine Security Technical Implementation Guide | 2024-08-27 |
Details
| Check Text (C-64667r966169_chk) |
| The host OS must be locked down so that only authorized users with a client bundle can access docker commands. To ensure that no commands with privilege or user authorizations are present via CLI: Linux: As a trusted user on the host operating system, use the below command to filter out docker exec commands that used --privileged or --user option. sudo ausearch -k docker | grep exec | grep privileged | grep user If there are any in the output, then this is a finding. |
| Fix Text (F-64575r966170_fix) |
| Docker CLI command must only be run with a client bundle and must not use --privileged or --user option. Refer to https://docs.mirantis.com/mke/3.7/ops/access-cluster/client-bundle/configure-client-bundle.html?highlight=client%20bundle. |